Google is urging website owners to take immediate action to replace digital certificates issued by Symantec that the company has previously identified as being untrustworthy.
Starting with the April 17 release of Google’s Chrome 66 browser, all Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates that Symantec issued prior to June 1, 2016 will be fully deprecated.
After that date Chrome will flag any website that continues to use these certificates—and those issued by Symantec-owned brands such as Verisign, Thawte and Equifax—as unsafe.
Users attempting to navigate to these sites will receive a prominent error message warning them that their connection is not secure or private and display a button offering to take them “Back to safety.”
“Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Chrome,” members of Google’s security team warned in a blog March 8.
Google has already released an early version of Chrome 66—the so-called First Canary version—on Jan 20 and any sites using the version could already be feeling the impact. Google will release the First Beta of Chrome 66 on March 15. After that date any beta users with sites running the offending certificates will start experiencing failures as well, they said.
Starting with Chrome 70, all websites with SSL/TLS certificates that Symantec issued after June 1, 2016 will be impacted in the same way. Google will release the First Canary of Chrome 70 on July 20, so website owners will start feeling the impact of the planned deprecation as early as that, the Google security team members said.
“Site operators are strongly encouraged to make the necessary changes to their sites before the First Canary release for Chrome 66 and 70, and no later than the corresponding Beta release dates,” they noted.
Google’s plans to deprecate Symantec-issued certificates are by no means unexpected. The company has warned for more than a year that Chrome would start distrusting the certificates because of concerns over Symantec’s process for issuing website certificates.
Websites use SSL/TLS certificates to establish and authenticate their identities so browsers know the sites can be trusted when users visit them. The certificates are fundamental to establishing trust online.
Symantec is one of several companies—so-called Certificate Authorities (CAs)—that were entrusted with issuing valid certificates.
But Google and others, most notably Mozilla, the maker of the Firefox browser, have said the manner in which Symantec handled its responsibilities as a CA makes its certificates untrustworthy.
Both Google and Mozilla have said that Symantec improperly allowed several third parties to issue the certificates on its behalf. The practice could have allowed shady website owners to obtain certificates that allow them to spoof other better known sites and carry out other types of malicious actions the companies have said.
Google has claimed that its investigation showed Symantec had allowed more than 30,000 SSL/TLS certificates to be issued improperly on its behalf though Symantec itself has pegged the number as far lower.
Google’s refusal to accept Symantec issued certificates prompted Symantec to sell its certificate business to DigiCert last year for about $950 million.